Juniper JunOS
Juniper makes lots of stuff, but is probably most widely known for its firewall products. Here we look at some basic management of the SRX line, which runs JunOS.
hook to console
On the front of your SSG there will be a console connection, which usually fools you because it looks like a normal network port, but it is really a serial connection that just LOOKS like a network port (an RJ-45 jack).
- you have to go find an adapter that will connect a CAT5 cable to a serial cable; sometimes you can find one in the Juniper box, but you can find them online pretty cheap too
- On mine I then had to convert the serial connection to USB, since my laptop only has USB and no serial. I got a Tripplite one, which I think I found here for about $20. On Windows 7 I had to download the driver too from here, which I think is really for Windows 8, but it worked.
- you have to have a terminal program on your laptop that can talk over a serial connection. I used TeraTerm, which I downloaded from Sourceforge here
- Once I installed the driver and hooked up the chain USB -> serial -> CAT5 adapter -> CAT5 cable -> SSG console port, I started TeraTerm with the following settings:
- COM3 (on mine it was just the next COM port above the ones it showed before I installed the Tripplite driver, which happened to be COM3), baud rate: 9600, data: 8 bit, parity: none, stop: 1 bit, flow control: none.
- if it worked and you’re connected, hit Enter a couple of times and it should give you a login: prompt.
SRX
The SRX platform runs JunOS, which is BSD-based, versus the old ScreenOS, so it’s a lot different.
When you boot the platform, it takes about 3 minutes to come up all the way, which seems like forever. Even after the interface lights come up it’s not done booting yet.
You can use a Cisco style console cable, which is an RJ-45 ethernet-looking plug on one end and a 9-pin serial connector on the other, which you plug into a USB -> serial dongle, like a Tripp-Lite USA-19HS, that you plug into your laptop. If you’re using a Mac, do ls /dev/tty* and find something that looks like /dev/tty.USA19H141P1.1; that’s the console you want to connect to. Then do:

```
screen /dev/tty.USA19H141P1.1
login: root
password:
switchname% cli
switchname> configure
Entering configuration mode
[edit]
switchname#
```
Here are some common commands you’ll use. You’ll have to enter CLI mode to use them after you login. There’s also a web interface, which makes things easier to visualize.
| command | what it does |
|---|---|
| show config | shows your configuration |
| show system software | lists the installed software packages (the output starts with "Information for junos:") |
| show int terse | shows your interfaces |
| set protocols l2-learning global-mode switching | changes to a layer 3 switch. You have to do this from ‘configure’ mode. |
| commit | saves your pending changes; you probably should do a commit check first if you want to test them before saving |
| commit check | tests your pending changes before you save them |
| delete interfaces ge-0/0/0 unit 0 family inet address 192.168.20.2/24 | removes that IP address from that interface |
| request system reboot | reboots the box |
| set interfaces ge-0/0/0 unit 0 family inet address 192.168.20.2/24 | sets the first interface to 192.168.20.2 netmask 255.255.255.0 |
Set your previously transparent switch (L2) to a normal Layer 3 router (lines starting with # are commented out and not entered):

```
cli
configure
#set protocols l2-learning global-mode switching
set system host-name whateveryouwanttocallyourfirewall
delete security zones security-zone BT interfaces ge-0/0/0
set security zones security-zone untrust
set security zones security-zone untrust interfaces ge-0/0/0
set security zones security-zone trust1
set interfaces ge-0/0/0 unit 0 family inet address 192.168.20.2/24
#set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
set security zones security-zone trust1 interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone trust1 interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0
rename interfaces ge-0/0/0 unit 0 family inet address 1.2.3.4/24 to address 5.6.7.8/24
```

Run commit check, then commit, after the last line to activate the change.
troubleshooting JunOS
From the CLI as root (the second exit drops from the CLI back to the shell so you can tail the trace file):

```
configure
set security flow traceoptions file 10debug
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter MatchTraffic source-prefix 192.168.10.0/24
set security flow traceoptions packet-filter MatchTraffic destination-prefix 0.0.0.0/0
commit
exit
exit
tail -f /cf/var/log/10debug
```
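The trace file is verbose, and the lines worth finding are the policy search (which zone pair the packet hit), the policy verdict, and any "packet dropped" lines for the flow you filtered on. The following script, added here as an example and not part of the original page or of Juniper's tooling, pulls those out per flow. The sample trace lines embedded in it are constructed to resemble basic-datapath output (a "matched filter" header per flow followed by policy-search and verdict lines); the field order and exact wording of real output vary by release, so treat the regular expressions as assumptions to adjust against your own 10debug file.

```python
"""Summarise SRX flow-trace output: which flows matched the packet-filter,
which zones and policy they hit, and whether they were permitted or dropped.

Added example, not Juniper code. SAMPLE_TRACE is constructed to look like
basic-datapath trace lines; real output has many more lines per packet,
which this parser simply skips.
"""
import re

# A new flow begins with '<src/sport->dst/dport;proto> matched filter NAME:'.
FLOW_RE = re.compile(
    r"<(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\d+)>"
    r" matched filter (?P<filter>\S+):")
ZONE_RE = re.compile(r"policy search from zone (?P<from>\S+)-> zone (?P<to>\S+)")
POLICY_RE = re.compile(r"(?P<verdict>permitted|denied) by policy (?P<policy>[^\s(]+)")
DROP_RE = re.compile(r"packet dropped")
PROTO = {"1": "icmp", "6": "tcp", "17": "udp"}

# Constructed sample: one denied TCP/80 flow, then one permitted TCP/443 flow.
SAMPLE_TRACE = """\
Jun  5 16:47:43 16:47:42.1012905:CID-0:RT:<192.168.10.5/49152->10.0.0.1/80;6> matched filter MatchTraffic:
Jun  5 16:47:43 16:47:42.1012905:CID-0:RT:packet [64] ipid = 12345, @0x4236d8ce
Jun  5 16:47:43 16:47:42.1012905:CID-0:RT: flow process pak fast ifl 70 in_ifp ge-0/0/1.0
Jun  5 16:47:43 16:47:42.1012905:CID-0:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
Jun  5 16:47:43 16:47:42.1012905:CID-0:RT:  flow_first_policy_search: policy search from zone trust1-> zone untrust (0x0,0xc0000050,0x50)
Jun  5 16:47:43 16:47:42.1012905:CID-0:RT:  packet dropped, denied by policy
Jun  5 16:47:43 16:47:42.1012905:CID-0:RT:  denied by policy default-policy-logical-system-00(2), dropping pkt
Jun  5 16:47:43 16:47:42.1012905:CID-0:RT:  packet dropped,  policy deny.
Jun  5 16:47:51 16:47:50.2231007:CID-0:RT:<192.168.10.7/50001->10.0.0.2/443;6> matched filter MatchTraffic:
Jun  5 16:47:51 16:47:50.2231007:CID-0:RT:packet [64] ipid = 12346, @0x4236d8ce
Jun  5 16:47:51 16:47:50.2231007:CID-0:RT:  flow_first_policy_search: policy search from zone trust1-> zone untrust (0x0,0xc35101bb,0x1bb)
Jun  5 16:47:51 16:47:50.2231007:CID-0:RT:  permitted by policy allow-https(4)
Jun  5 16:47:51 16:47:50.2231007:CID-0:RT:  packet passed, Permitted by policy.
"""


def summarize(trace: str) -> list[dict]:
    """Return one record per flow seen in the trace, in order of appearance."""
    flows: list[dict] = []
    cur = None
    for line in trace.splitlines():
        m = FLOW_RE.search(line)
        if m:  # header line: start a new flow record
            cur = {"src": f"{m['src']}:{m['sport']}", "dst": f"{m['dst']}:{m['dport']}",
                   "proto": PROTO.get(m["proto"], m["proto"]), "filter": m["filter"],
                   "zones": None, "policy": None, "verdict": None, "drops": 0}
            flows.append(cur)
            continue
        if cur is None:  # lines before the first header cannot be attributed
            continue
        if z := ZONE_RE.search(line):
            cur["zones"] = (z["from"], z["to"])
        if p := POLICY_RE.search(line):
            cur["verdict"] = "permit" if p["verdict"] == "permitted" else "deny"
            cur["policy"] = p["policy"]
        if DROP_RE.search(line):
            cur["drops"] += 1
    return flows


def denied(flows: list[dict]) -> list[dict]:
    """The flows a troubleshooter cares about: denied by policy or dropped."""
    return [f for f in flows if f["verdict"] == "deny" or f["drops"]]


def format_flow(f: dict) -> str:
    zones = " -> ".join(f["zones"]) if f["zones"] else "?"
    return (f"{f['proto']} {f['src']} -> {f['dst']} [{zones}] "
            f"{f['verdict'] or 'no verdict'} by {f['policy'] or '?'} drops={f['drops']}")


if __name__ == "__main__":
    for flow in summarize(SAMPLE_TRACE):
        print(format_flow(flow))
```

To use it against a real capture, copy the trace file off the box (or pipe the output of the tail into a file) and call summarize() on its contents; a flow that shows "deny by default-policy-logical-system-00" tells you no explicit policy matched the zone pair, which is the most common reason traffic silently disappears on an SRX.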
Look for dropped packets and policy denies for the flow you filtered on. Flow tracing costs data-plane CPU and keeps writing to the log, so don’t leave it running longer than you need. When you’re done, deactivate it (the show output confirms the inactive: markers before you commit):

```
deactivate security flow traceoptions packet-filter MatchTraffic
deactivate security flow traceoptions flag basic-datapath
show security flow
traceoptions {
    file 10debug;
    inactive: flag basic-datapath;
    inactive: packet-filter MatchTraffic {
        source-prefix 192.168.10.0/24;
        destination-prefix 0.0.0.0/0;
    }
}
commit
```
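Both the zone configuration batch above and the deactivate sequence here depend on how set-style commands map onto the curly-brace hierarchy that show prints, with deactivate leaving a statement in place but tagged inactive:. The following script, added here as an example and not part of the original page or of Juniper's software, models that mapping so a batch of set lines can be previewed off-box before it is pasted into configure mode. It has no JunOS schema: the KEYED and VALUE_LEAVES tables are an assumed subset covering only the keywords used on this page, rename is not modelled, and a path the box would reject at commit check still renders here.

```python
"""Preview a batch of JunOS set-style commands as the curly-brace config that
'show' prints, including the 'inactive:' marker that 'deactivate' leaves.

Added example, not Juniper code. It models only the set, delete, deactivate
and activate verbs plus a few keyword tables for the statements used on
this page; it has no JunOS schema, so 'commit check' on the box remains the
real test of a change.
"""
from __future__ import annotations

# Keywords whose following token is an identifier belonging to the same
# node, so "unit 0" or "security-zone trust1" is one statement.
# Constructed subset; real JunOS has many more such keywords.
KEYED = {"unit", "family", "security-zone", "packet-filter", "policy"}
# Keywords that take a value and end a statement: "address 10.0.0.1/24;".
VALUE_LEAVES = {"address", "host-name", "flag", "file", "source-prefix",
                "destination-prefix", "global-mode", "interface-mode"}


class Node:
    """One statement; a leaf is simply a Node with no children."""

    def __init__(self) -> None:
        self.children: dict[str, Node] = {}
        self.inactive = False


def split_path(tokens: list[str]) -> list[str]:
    """Group raw tokens into statement names, e.g. ['unit 0', 'family inet']."""
    names, i = [], 0
    while i < len(tokens):
        if tokens[i] in KEYED | VALUE_LEAVES and i + 1 < len(tokens):
            names.append(f"{tokens[i]} {tokens[i + 1]}")
            i += 2
        else:
            names.append(tokens[i])
            i += 1
    return names


def _descend(root: Node, names: list[str]) -> Node | None:
    node = root
    for name in names:
        node = node.children.get(name)
        if node is None:
            return None
    return node


def lookup(root: Node, path: str) -> Node | None:
    """Find the statement at a set-style path, or None if it is absent."""
    return _descend(root, split_path(path.split()))


def apply_line(root: Node, line: str) -> None:
    line = line.strip()
    if not line or line.startswith("#"):   # '#' comments a line out, as on this page
        return
    verb, *tokens = line.split()
    names = split_path(tokens)
    if not names:
        raise ValueError(f"{verb!r} needs a path")
    if verb == "set":
        node = root
        for name in names:                 # create every level, as 'set' does
            node = node.children.setdefault(name, Node())
        return
    if verb not in {"delete", "deactivate", "activate"}:
        raise ValueError(f"verb {verb!r} is not modelled (e.g. rename)")
    parent = _descend(root, names[:-1])
    if parent is None or names[-1] not in parent.children:
        raise KeyError(f"no such statement: {' '.join(tokens)}")
    if verb == "delete":
        del parent.children[names[-1]]
    else:
        parent.children[names[-1]].inactive = verb == "deactivate"


def build(commands: str) -> Node:
    """Apply each line of a set-style batch, in order, to an empty config."""
    root = Node()
    for line in commands.splitlines():
        apply_line(root, line)
    return root


def render(node: Node, depth: int = 0) -> str:
    """Print children in JunOS brace style; empty containers print as 'name;'."""
    pad, out = "    " * depth, []
    for name, child in node.children.items():
        prefix = "inactive: " if child.inactive else ""
        if child.children:
            out.append(f"{pad}{prefix}{name} {{")
            out.append(render(child, depth + 1))
            out.append(f"{pad}}}")
        else:
            out.append(f"{pad}{prefix}{name};")
    return "\n".join(out)


# Constructed batch: the flow-trace setup from this page followed by the two
# deactivate lines run once the troubleshooting session is over.
TRACE_BATCH = """\
set security flow traceoptions file 10debug
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter MatchTraffic source-prefix 192.168.10.0/24
set security flow traceoptions packet-filter MatchTraffic destination-prefix 0.0.0.0/0
deactivate security flow traceoptions packet-filter MatchTraffic
deactivate security flow traceoptions flag basic-datapath
"""

if __name__ == "__main__":
    print(render(build(TRACE_BATCH)))
```

Statements print in insertion order rather than the schema order the box uses, and a delete that empties a container leaves it behind as a bare "name;" line, which is also what the SRX shows when, for example, the only address under family inet is removed.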
Resources: